The Swiss Federal Council has added the United States to the list of countries with an adequate level of data protection. Starting September 15, 2024, US organizations certified to the Swiss-US Data Privacy Framework (DPF) will be able to receive transfers of personal data from Switzerland without having to implement additional safeguards.
Although US organizations were permitted to become DPF certified starting July 10, 2023, transfers of personal data to the US relying solely on the Swiss-US DPF were delayed until Switzerland confirmed the eligibility of the Swiss-US DPF. Transfers to certified organizations required additional safeguards (such as Standard Contractual Clauses). With the formal eligibility determination, transfers to DPF-certified US companies can now proceed without the additional safeguards.
Like the now-defunct Swiss-US Privacy Shield, the Swiss-US Data Privacy Framework is administered by the US Department of Commerce and US organizations must certify to participate. The certification process involves submitting an application and privacy policy that is compliant with the Swiss-US DPF principles, attesting compliance with the Swiss-US DPF principles, and identifying an independent redress mechanism. Transferred personal data covered by the DPF includes human resources-related data, client or customer data, and personal data collected in business-to-business transactions. For purposes of the DPF, transfer refers not only to the transmission of personal data from Switzerland to the US, but also to access of Swiss personal data (e.g., servers) from the US.